There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system.

Sniffer mode simply reads the packets off of the network and displays them for you in a continuous stream on the console.

Packet logger mode logs the packets to disk.

Network intrusion detection mode is the most complex and configurable of the three: Snort analyzes network traffic for matches against a user-defined rule set (selected with the -c switch and a rules file).

The main distribution site for Snort is http://www.snort.org. Snort is distributed under the GNU GPL license by its author, Martin Roesch. Snort is a lightweight network IDS, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching and matching.

Snort logs packets either in tcpdump binary format or in Snort's decoded ASCII format; in the ASCII case the packets are filed in logging directories named after the IP address of the foreign host. In our lab, we start by using Snort as a packet sniffer and packet analyzer. Apart from running the interface in promiscuous mode, we will also see how Snort files the logged packets by the IP addresses we are interested in. Using Snort as a packet sniffer and packet analyzer is an easy process, and the man pages are very helpful.

From the command line we set Snort to display a verbose dump of every packet it sniffs and decodes. For example, the command given below sniffs all traffic on the first Ethernet interface, treats the class C internal network 192.168.20.0/24 (addresses of the form 192.168.20.*) as the home network, and logs the packets to a directory named log. Note that -h does not restrict which packets are captured; it only tells Snort which side of each conversation is local so that the logs are filed under the address of the foreign host.

snort -v -d -e -i eth0 -h 192.168.20.0/24 -l log

The '-v' switch puts Snort in verbose mode, printing the decoded IP/TCP/UDP/ICMP headers of each packet to the console.

The '-d' switch additionally dumps the decoded application layer data (the packet payload).

The '-e' switch shows the decoded Ethernet (link layer) headers as well.

The '-i' switch specifies the interface to be monitored. On Linux this is a name such as eth0; the Windows build identifies interfaces by number, and 'snort -W' lists the available ones.

The '-h' switch sets the home network (a class C block such as 192.168.20.0/24). It does not filter traffic; it is used so that packets are logged relative to the home network, with each logging subdirectory named after the remote (non-home) host. Without -h, Snort sometimes files a packet under the remote address and sometimes under the local one, so the directory layout is inconsistent.

The '-l' option switches Snort into packet logger mode and tells it which directory to log into (here, the directory log under the current directory). The directory must already exist; Snort will not create it.

By default the packets are logged in Snort's decoded ASCII format (with -d the payload appears as a hex and ASCII dump) and sorted into subdirectories by IP address, which makes it easy to map out which hosts talked to whom and to read the decoded data. Adding -b switches the logging to tcpdump binary format instead: all packets are written to a single binary file in the log directory, which is much faster and can be read back with tcpdump, Snort itself, or any other tool that understands that format. In binary mode the entire packet is stored, so -v, -d and -e are unnecessary.
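As an added illustration of the two points above (assembling the sniffer/packet logger command line with its switches checked, and how the -h home network decides which per-host directory a logged packet lands in), the following Python model is example code written for this page; it is not Snort's own code, and the function names build_sniff_command, log_directory and sort_packets are this example's own. The directory rule follows the snort(8) man page (traffic from an outside host is filed under that outside address); filing purely internal traffic under its destination address is an assumption of the model, and the packet list is constructed sample data, not a real capture.

```python
"""Model of Snort's sniffer/packet-logger command line and its -h directory rule.

Added illustration for this page, not Snort's own code.  The per-host directory
rule follows the snort(8) man page; how purely internal traffic is filed (under
its destination here) is an assumption of this model.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Sequence, Tuple


def valid_home_net(spec: str) -> bool:
    """True if spec is a usable CIDR block for -h (e.g. '192.168.20.0/24')."""
    try:
        ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False
    return True


def build_sniff_command(iface: str, home_net: Optional[str] = None,
                        log_dir: Optional[str] = None, binary: bool = False,
                        verbose: bool = True, app_data: bool = True,
                        link_headers: bool = True) -> List[str]:
    """Build argv for sniffer mode (no log_dir) or packet logger mode (-l).

    The home network is validated first, which catches a typo such as
    '192.168.20.0/24-1' that a shell would otherwise hand straight to Snort.
    """
    if not iface.strip():
        raise ValueError("interface name is required")
    if home_net is not None and not valid_home_net(home_net):
        raise ValueError(f"not a valid home network: {home_net!r}")
    if binary and log_dir is None:
        raise ValueError("-b only makes sense together with -l")
    if binary:
        # -b stores the whole packet in tcpdump format, so -v/-d/-e add nothing
        verbose = app_data = link_headers = False
    argv = ["snort"]
    if verbose:
        argv.append("-v")
    if app_data:
        argv.append("-d")
    if link_headers:
        argv.append("-e")
    argv += ["-i", iface]
    if home_net is not None:
        argv += ["-h", home_net]
    if log_dir is not None:
        argv += ["-l", log_dir]
        if binary:
            argv.append("-b")
    return argv


Packet = Tuple[str, str, str, int, int]  # src, dst, proto, sport, dport

# Constructed sample traffic (not a real capture): a DNS exchange with an
# outside resolver, an inbound SSH attempt, and an internal SMB connection.
PACKETS: List[Packet] = [
    ("192.168.20.5", "8.8.8.8", "UDP", 53412, 53),
    ("8.8.8.8", "192.168.20.5", "UDP", 53, 53412),
    ("203.0.113.9", "192.168.20.10", "TCP", 40000, 22),
    ("192.168.20.5", "192.168.20.10", "TCP", 50000, 445),
]


def log_directory(src: str, dst: str, home_net: str) -> str:
    """Return the IP address the per-host log directory is named after.

    A packet leaving the home network is filed under its destination (the
    foreign peer); any other packet is filed under its source.  Both directions
    of one conversation with an outside host therefore share one directory.
    """
    net = ipaddress.ip_network(home_net, strict=False)
    if ipaddress.ip_address(src) in net:
        return dst  # assumption: internal-to-internal traffic also goes here
    return src


def sort_packets(packets: Sequence[Packet], home_net: str) -> Dict[str, List[str]]:
    """Group packets by log directory; each entry is a 'PROTO:sport-dport' label."""
    dirs: Dict[str, List[str]] = defaultdict(list)
    for src, dst, proto, sport, dport in packets:
        dirs[log_directory(src, dst, home_net)].append(f"{proto}:{sport}-{dport}")
    return dict(dirs)


if __name__ == "__main__":
    print(" ".join(build_sniff_command("eth0", "192.168.20.0/24", "log")))
    for host, entries in sorted(sort_packets(PACKETS, "192.168.20.0/24").items()):
        print(f"log/{host}/  {', '.join(entries)}")
```

Running the model on the sample traffic files both halves of the DNS exchange under 8.8.8.8 and the SSH probe under 203.0.113.9, which is the layout the -h switch is meant to produce; the internal SMB connection ends up under 192.168.20.10 only because of the stated assumption.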